GET /attestation
Returns the live attestation envelope for the router pod that served the request. Customers verify this envelope against a signed trust bundle (released out-of-band) to pin their HTTPS traffic to a specific enclave measurement and TLS public key.
For the threat model, ceremony, and verifier algorithm, see Concepts → Attestation.
200 OK with Content-Type: application/json. All hex fields are lowercase.
```json
{
  "schema": "tresor.attestation/v1",
  "workload": "router",
  "snp_report_b64": "PHNucCByZXBvcnQuLi4+",
  "vcek_chain_pem": "-----BEGIN CERTIFICATE-----\n...",
  "tls_spki_sha256": "9b8c…",
  "workload_identity_tag": "a1b2…",
  "workload_identity_manifest_jws": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLiJ9.eyJzY2hlbWEiOiJ3b3JrbG9hZC1pZGVudGl0eS92MSIsIndvcmtsb2FkIjoicm91dGVyIiwidmVyc2lvbiI6InYxLjQyLjMiLCJpbWFnZV9kaWdlc3QiOiJzaGEyNTY6Li4uIn0.…",
  "trust_bundle_url": "https://trust.tresor.co/api/router.json",
  "issued_at": "2026-04-01T12:00:00Z",
  "max_age_seconds": 600
}
```
| Field | Description |
|---|---|
| schema | Always tresor.attestation/v1. Increment on breaking envelope changes. |
| workload | Logical workload name (router). |
| snp_report_b64 | Standard-base64 of the AMD SEV-SNP attestation report (binary, ≈ 1 184 bytes). |
| vcek_chain_pem | PEM-concatenated VCEK + ASK + ARK certificates issued by AMD for the host CPU. May be empty in dev mode. |
| tls_spki_sha256 | SHA-256 of the leaf TLS certificate's SubjectPublicKeyInfo (DER), 64 hex chars. Customers compare to the live SPKI of the connection. |
| workload_identity_tag | SHA-256(workload_identity_manifest_jws_bytes), 64 hex. Stable per release; baked into the binary at build time. Folded into the SHA-384 qualifyingData of the TPM quote, so a different binary cannot impersonate the endpoint without minting a new TPM-signed quote. |
| workload_identity_manifest_jws | Compact JWS over payload schema workload-identity/v1 (workload, version, image_digest, binary_digest, build_metadata). Signed by the workload-manifest key named in trust_bundle.delegated_keys.workload_manifest; for legacy bundles without that field, signed by the release-root key directly. Verifiable client-side using whichever key the bundle authorises (the tresor-attest SDKs ship a pinned release-root pubkey and read the delegated key out of the verified bundle). May be empty in dev/unsigned mode. |
| trust_bundle_url | Where to fetch the JWS-signed trust bundle that lists the allowed measurements, identity tags, and TCB floor. |
| issued_at | RFC 3339 UTC timestamp of envelope generation. |
| max_age_seconds | Recommended client cache TTL for the envelope. |
The first 32 bytes of the SNP report's REPORT_DATA field are bound to:

SHA-256( hex_decode(tls_spki_sha256) || hex_decode(workload_identity_tag) )

so a substituted certificate or a different binary cannot impersonate the endpoint without a matching valid SNP report.
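An added example (not code from the tresor-attest SDKs) of the local consistency checks this binding allows: recompute the expected REPORT_DATA prefix, compare it with the report, and confirm the envelope's SPKI hash and identity tag match what the client observed. It assumes the caller already holds the SHA-256 of the live connection's SPKI, reads REPORT_DATA at offset 0x50 of the SNP report, and hashes the compact JWS string as served; the function names and the sample envelope are constructed for illustration.

```python
import base64
import hashlib
import re

REPORT_DATA_OFFSET = 0x50  # REPORT_DATA offset in the SEV-SNP attestation report
HEX64 = re.compile(r"[0-9a-f]{64}")  # the endpoint emits lowercase hex only


def expected_report_data(spki_hex: str, tag_hex: str) -> bytes:
    """SHA-256(hex_decode(tls_spki_sha256) || hex_decode(workload_identity_tag))."""
    for name, value in (("tls_spki_sha256", spki_hex), ("workload_identity_tag", tag_hex)):
        if not HEX64.fullmatch(value):
            raise ValueError(f"{name}: expected 64 lowercase hex chars")
    return hashlib.sha256(bytes.fromhex(spki_hex) + bytes.fromhex(tag_hex)).digest()


def check_binding(envelope: dict, live_spki_sha256: str) -> list:
    """Return the failed checks; an empty list means the binding holds."""
    spki, tag = envelope["tls_spki_sha256"], envelope["workload_identity_tag"]
    try:
        want = expected_report_data(spki, tag)
        report = base64.b64decode(envelope["snp_report_b64"], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"malformed: {exc}"]
    failures = []
    if spki != live_spki_sha256:
        failures.append("spki_mismatch")  # envelope describes a different TLS key
    jws = envelope.get("workload_identity_manifest_jws", "")
    # Assumption: the tag hashes the compact JWS string exactly as served.
    if jws and hashlib.sha256(jws.encode()).hexdigest() != tag:
        failures.append("identity_tag_mismatch")
    if len(report) < REPORT_DATA_OFFSET + 64:
        failures.append("report_too_short")
    elif report[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + 32] != want:
        failures.append("report_data_mismatch")
    return failures


def constructed_envelope() -> dict:
    """Constructed sample: zero-filled 1184-byte report with REPORT_DATA set."""
    jws = "e30.e30.c2ln"  # placeholder compact JWS, not a real signature
    spki = hashlib.sha256(b"constructed SPKI DER").hexdigest()
    tag = hashlib.sha256(jws.encode()).hexdigest()
    report = bytearray(1184)
    report[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + 32] = expected_report_data(spki, tag)
    return {"tls_spki_sha256": spki, "workload_identity_tag": tag,
            "workload_identity_manifest_jws": jws,
            "snp_report_b64": base64.b64encode(bytes(report)).decode("ascii")}
```

An empty result shows only that the envelope is internally consistent with the connection; whether the report itself is trusted still depends on verifying its signature against the VCEK chain and its measurement against the signed trust bundle.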
| Status | Body | Meaning |
|---|---|---|
| 503 | {"error":"attestation_unavailable"} | Router could not capture or refresh evidence. |
The envelope is cached per pod and refreshed on a fixed cadence. Clients should cache for max_age_seconds and re-fetch on any TLS-handshake-level certificate change.
tresor-attest SDK — drop-in fetch / httpx / Go client